Closed Bug 887549 Opened 8 years ago Closed 8 years ago

Fall back to full parser when destructuring shorthand is used (differential testing issues with invalid object initializer)

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
major

Tracking

()

RESOLVED FIXED
mozilla25

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: testcase)

Attachments

(1 file)

(function() {
    evalcx("function f(){x={y}}", this)
})()
try {
    (function() {
        f.e = (function() {})
    })()
    print("".match(/()/))
} catch (e) {}

shows the following on a 64-bit deterministic threadsafe js shell on m-c rev 61c3c8b85563:

,

but shows nothing with --ion-eager.


autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/ce43d28276e4
user:        Brian Hackett
date:        Fri Jun 14 05:58:28 2013 -0600
summary:     Bug 678037 - Enable lazy JS parsing and fix various bugs, r=waldo,evilpie,nobody.

Setting needinfo for bhackett as this may cloud other correctness bugs.
Flags: needinfo?(bhackett1024)
function f(){
    ({ invalidObjectInitializer });
}
(function() {
    f.e = null;
})()

somehow turns f's
  "SyntaxError: invalid object initializer"
(which is delayed by lazy bytecode, see also bug 884114) into
  "uncaught exception: out of memory"
Summary: Differential Testing: Different output w/without --ion-eager involving evalcx → Differential Testing: Different output w/without --ion-eager (evalcx, invalid object initializer)
The syntax error is being reported in the bytecode emitter, which really shouldn't happen as the emitter only runs during full parses.  Fixing this so the parser emits this warning is non-trivial so this patch just falls back to a full parse/emit if destructuring shorthand is used (as we do for other language features not used much on the web).
Attachment #771713 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Assignee: general → bhackett1024
Attachment #771713 - Flags: review?(jdemooij) → review+
Summary: Differential Testing: Different output w/without --ion-eager (evalcx, invalid object initializer) → Fall back to full parser when destructuring shorthand is used (differential testing issues with invalid object initializer)
https://hg.mozilla.org/mozilla-central/rev/34adc60a3e6a
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in before you can comment on or make changes to this bug.